In order to be practically useful, quantum cryptography must not only provide a guarantee of secrecy, but it must provide this guarantee with a useful, sufficiently large throughput value. The standard result of generalized privacy amplification yields an upper bound only on the average value of the mutual information available to an eavesdropper. Unfortunately this result by itself is inadequate for cryptographic applications. A naive application of the standard result leads one to incorrectly conclude that an acceptable upper bound on the mutual information has been achieved. It is the pointwise value of the bound on the mutual information, associated with the use of some specific hash function, that corresponds to actual implementations. We provide a fully rigorous mathematical derivation that shows how to obtain a cryptographically acceptable upper bound on the actual, pointwise value of the mutual information. Unlike the bound on the average mutual information, the value of the upper bound on the pointwise mutual information and the number of bits by which the secret key is compressed are specified by two different parameters, and the actual realization of the bound in the pointwise case is necessarily associated with a specific failure probability. The constraints amongst these parameters, and the effect of their values on the system throughput, have not been previously analyzed. We show that the necessary shortening of the key dictated by the cryptographically correct, pointwise bound can still produce viable throughput rates that will be useful in practice.



I INTRODUCTION 

Quantum cryptography has been heralded as providing an important advance in secret communications because it provides a guarantee that the amount of mutual information available to an eavesdropper can unconditionally be made arbitrarily small. Any practical realization of quantum key distribution that consists only of sifting, error correction and authentication will allow some information leakage, thus necessitating privacy amplification. Of course, one might contemplate carrying out privacy amplification after executing a classical key distribution protocol. In the absence of any assumed conditions on the capability of an eavesdropper, it is not possible to deduce a provable upper bound on the leaked information in the classical case, so that the subsequent implementation of privacy amplification would produce nothing, i.e., the "input" to the privacy amplification algorithm cannot be bounded, and as a result neither can the "output." In the case of quantum key distribution, however, the leaked information associated with that string which is the input to the privacy amplification algorithm can be bounded, and this can be done in the absence of any assumptions about the capability of an eavesdropper. This bound is not good enough for cryptography, however. Nevertheless, this bound on the input allows one to prove a bound on the output of privacy amplification, so that one deduces a final, unconditional upper bound on the mutual information available to an eavesdropper. Moreover this bound can be made arbitrarily small, and hence good enough for cryptography, at the cost of suitably shortening the final string.

Except that as usually presented this is not exactly true. 

The above understanding is usually presented in connection with the standard result of generalized privacy amplification given in [ref], which applies only to the average value of the mutual information. The average is taken with respect to a set of elements, namely, the universal class of hash functions introduced by Carter and Wegman [ref]. The actual implementation of privacy amplification, however, will be executed by software and hardware that selects a particular hash function. The bound on the average value of the mutual information does not apply to this situation: it does not directly measure the amount of mutual information available to an eavesdropper in practical quantum cryptography.

In this paper we calculate cryptographically acceptable pointwise bounds on the mutual information which can be achieved while still maintaining sufficiently high throughput rates. In contrast to a direct application of the privacy amplification result of [ref], we must also consider and bound a probability of choosing an unsuitable hash function and relate this to cryptographic properties of the protocol and the throughput rate. The relation between average bounds and pointwise bounds of random variables is not new and follows from elementary probability theory, as was also noticed in [ref].



II PRIVACY AMPLIFICATION 



In ideal circumstances, the outcome of a k-bit key-exchange protocol is a k-bit key shared between Alice and Bob which is kept secret from Eve. Perfect secrecy means that from Eve's perspective the shared key is chosen uniformly from the space of k-bit keys. In practice, one can only expect Eve's probability distribution for the shared key to be close to uniform in the sense that its Shannon entropy is close to its largest possible value k. Moreover, because quantum key-exchange protocols implemented in practice inevitably leak information to Eve, Eve's distribution of the key is too far from uniform to be usable for cryptographic purposes. Privacy amplification is the process of obtaining a nearly uniformly distributed key in a keyspace of smaller bitsize.

We review the standard assumptions of the underlying probability model of [ref]: $\Omega$ is the underlying sample space with probability measure $P$. Expectation of a real random variable $X$ with respect to $P$ is denoted $EX$. $W$ is a random variable with key material known jointly to Alice and Bob and $V$ is a random variable with Eve's information about $W$. $W$ takes values in some finite keyspace $\mathcal{W}$. The distribution of $W$ is the function $P_W(w) = P(W = w)$ for $w \in \mathcal{W}$. Eve's distribution having observed a value $v$ of $V$ is the conditional probability $P_{W|V=v}(w) = P(W = w \mid V = v)$ on $\mathcal{W}$. In the discussion that follows, $v$ is fixed and accordingly we denote Eve's distribution of Alice and Bob's shared key given $v$ by $P_{\mathrm{Eve}}$. $H$ and $R$ denote Shannon and Rényi entropies of random variables defined on $\mathcal{W}$ relative to $P_{\mathrm{Eve}}$.

Definition II.1 Suppose $\mathcal{Y}$ is a keyspace. If $\alpha$ is a positive real number, a mapping $\gamma : \mathcal{W} \to \mathcal{Y}$ is an $\alpha$ strong uniformizer for Eve's distribution iff

$$H(\gamma) = -\sum_{y \in \mathcal{Y}} P_{\mathrm{Eve}}(\gamma^{-1}(y)) \log_2 P_{\mathrm{Eve}}(\gamma^{-1}(y)) \geq \log_2 |\mathcal{Y}| - \alpha.$$



If $\gamma$ is an $\alpha$ strong uniformizer, then we obtain a bound on the mutual information between Eve's data $V$ and the image of the hash transformation $Y$ as follows:

$$I(Y, V) = H(Y) - H(Y|V) = \log_2 |\mathcal{Y}| - H(\gamma) \leq \alpha. \qquad (1)$$

Definition II.2 Let $\Gamma$ be a random variable with values in $\mathcal{Y}^{\mathcal{W}}$ (the space of functions $\mathcal{W} \to \mathcal{Y}$) which is conditionally independent of $W$ given $V = v$, i.e. $P(\Gamma = \gamma \text{ and } W = w \mid V = v) = P(\Gamma = \gamma \mid V = v)\, P(W = w \mid V = v)$. $\Gamma$ is an $\alpha$ average uniformizer for Eve's distribution iff

$$E(H_\Gamma) \geq \log_2 |\mathcal{Y}| - \alpha, \qquad (2)$$

where $H_\Gamma = H_\Gamma(z) = H(\Gamma(z))$.

If $\Gamma$ is an $\alpha$ average uniformizer, the bound is on the mutual information averaged over the set $\Gamma$:

$$I(Y, \Gamma V) = H(Y) - H(Y|\Gamma V) = \log_2 |\mathcal{Y}| - E(H_\Gamma) \leq \alpha. \qquad (3)$$

Uniformizers are produced stochastically. Notice that by the conditional stochastic independence assumption, $z$ can be assumed to vary independently of $w \in \mathcal{W}$ with the law $P_{\mathrm{Eve}}$.

Proposition II.3 Suppose $\Gamma$ is an $\alpha$ average uniformizer. Then for every $\beta > 0$, $\Gamma(\omega)$ is a $\beta$ strong uniformizer for $\omega$ outside a set of probability $\alpha/\beta$.

PROOF. Note that for any $\gamma : \mathcal{W} \to \mathcal{Y}$, $H_\gamma$ is at most $\log_2 |\mathcal{Y}|$. Thus $\log_2 |\mathcal{Y}| - H_\Gamma$ is a nonnegative random variable. Applying Chebychev's inequality to $\log_2 |\mathcal{Y}| - H_\Gamma$, it follows that for every $\beta > 0$,

$$P(\log_2 |\mathcal{Y}| - \beta > H_\Gamma) \leq \frac{1}{\beta} E(\log_2 |\mathcal{Y}| - H_\Gamma) = \frac{1}{\beta}\left(\log_2 |\mathcal{Y}| - E(H_\Gamma)\right) \leq \frac{\alpha}{\beta},$$

where the last step uses (2).

The random variable $\Gamma$ is strongly universal iff for all $x \neq x'$ in $\mathcal{W}$,

$$P\{z : \Gamma(z)(x) = \Gamma(z)(x')\} \leq \frac{1}{|\mathcal{Y}|}. \qquad (4)$$

The following is the main result of [ref]:

Proposition II.4 (BBCM Privacy Amplification). Suppose $\Gamma$ is a universal family of mappings $\mathcal{W} \to \mathcal{Y}$ conditionally independent of $W$. Then $\Gamma$ is a $2^{\log_2 |\mathcal{Y}| - R(W)}/\ln 2$ average uniformizer for Eve's distribution.



III PRACTICAL RESULTS

We will refer to the inequality that provides the upper bound on the average value of the mutual information as the average privacy amplification bound, or APA, and we will refer to the inequality that provides the upper bound on the actual, or pointwise, mutual information as the pointwise privacy amplification bound, or PPA.

In carrying out privacy amplification we must shorten the key by the number of bits of information that have potentially been leaked to the eavesdropper [ref]. Having taken that into account, we denote by g the additional number of bits by which the key length will be further shortened to assure sufficient secrecy, i.e., the additional bit subtraction amount, and we refer to g as the privacy amplification subtraction parameter. With this definition of g, Bennett et al. [ref] show as a corollary of Proposition II.4 that the set of Carter-Wegman hash functions is a $2^{-g}/\ln 2$ average uniformizer. We thus have for the APA bound on $\langle I \rangle$, the average value of the mutual information, the inequality

$$\langle I \rangle = I(Y, \Gamma V) \leq \frac{2^{-g}}{\ln 2}. \qquad (5)$$



In the case of APA the quantity g plays a dual role: in addition to representing the number of additional subtraction bits, for the APA case g also directly determines the upper bound on the average of the mutual information.

In the case of PPA we again employ the symbol g to denote the number of subtraction bits, as above for APA, but the upper bound on the pointwise mutual information is now given in terms of a different quantity g', which we refer to as the pointwise bound parameter. Also in the case of PPA we need the parameter g'', which we refer to as the pointwise probability parameter, in terms of which we may define the failure probability $P_f$. This definition is motivated by Proposition II.3, from which we find that the Carter-Wegman hash functions are $2^{-g'}/\ln 2$ strong uniformizers except on a set of probability

$$P_f = \frac{2^{-g}/\ln 2}{2^{-g'}/\ln 2}. \qquad (6)$$

We therefore define the pointwise probability parameter

$$g'' = g - g'. \qquad (7)$$

Thus the quantities g, g' and g'' are not all independent, and are constrained by equation (7). In terms of these parameters we have for the PPA bound on I, the actual value of the mutual information, the inequality

$$I(Y, V) \leq \frac{2^{-g'}}{\ln 2} = \frac{2^{-(g - g'')}}{\ln 2}, \qquad (8)$$

where the associated failure probability $P_f$ is given by

$$P_f = 2^{-g''}. \qquad (9)$$

The failure probability is not even a defined quantity in the APA case, but it plays a crucial role in the PPA case. Thus, the bound on the pointwise mutual information is directly determined by the value of the parameter g', with respect to which one finds a tradeoff between g, the number of additional compression bits by which the key is shortened, and g'', the negative logarithm of the corresponding failure probability.



IV APPLICATION OF POINTWISE BOUND 

Operationally, it will usually be the case in practice that end-users of quantum key distribution systems will be first and foremost constrained to ensure that a given upper bound on the pointwise mutual information available to the enemy is realized.

To appreciate the significance of the distinction between the PPA and APA results, we will consider an illustrative example that shows how reliance on the APA bound can lead to complete compromise of cryptographic security. We begin with the APA case. As noted above, in the case of APA the privacy amplification subtraction parameter, which we will now denote by g_APA to emphasize the nature of the bound, directly specifies both the upper bound on ⟨I⟩ and also the number of bits by which the key needs to be shortened to achieve this bound. Without loss of generality we take the value of the privacy amplification subtraction parameter to be given by g_APA = 30, which means that, in addition to the compression by the number of bits of information that were estimated to have been leaked, the final length of the key will be further shortened by an additional 30 bits. This results in an upper bound on the average mutual information given by ⟨I⟩ ≤ 2^{-30}/ln 2 ≈ 1.34 × 10^{-9}, which we take as the performance requirement for this example. While this might appear to be an acceptable bound, the fact that it applies only to the average of the mutual information of course means that it is not the quantity we require.

We turn to the PPA case, with respect to which we will now refer to the privacy amplification subtraction parameter as g_PPA. In order to discuss the PPA bound we must select appropriate values amongst g_PPA, g' and g''. In the APA case discussed above, the bound on the (average) mutual information and the number of subtraction bits are both specified by the same parameter g_APA. In the PPA case, the number of subtraction bits and the parameter that specifies the bound on the (pointwise) mutual information are not the same. To achieve the same value for the upper bound on I as we discussed for the upper bound on ⟨I⟩ above, we must select g' = 30 as the value of the pointwise bound parameter. From eq. (8) this indeed yields the required inequality I ≤ 2^{-30}/ln 2 ≈ 1.34 × 10^{-9}. However, with respect to this requirement on the value of the mutual information, i.e., the required final amount of cryptographic secrecy, there is a denumerable set (since bits are discrete) of different amounts of compression of the key that are possible to select, each associated with a corresponding failure probability, P_f, in the form of ordered pairs (g_PPA, g'') that satisfy the constraint given by g_PPA = g' + g'' (cf. eq. (7)).

Our starting point was the secrecy performance requirement that must be satisfied. On the basis of the APA analysis above, one might conclude that in order to achieve the required secrecy performance constraint it is sufficient to shorten the key by 30 bits. However in the PPA case, satisfying the same performance requirement and shortening the key by 30 bits means choosing identical values for the privacy amplification subtraction parameter (g_PPA = 30) and the pointwise bound parameter (g' = 30). However, we note from eq. (7) that in the case of the PPA bound, g_PPA and g' become the same only when g'' = 0, which corresponds to 100% failure probability on the upper bound. This is clearly cryptographically useless!

This example emphasizes the importance of assuring a sufficiently small failure probability in addition to a sufficiently small upper bound on the mutual information. As we see from the above example, the APA result provides no information about the correct number of subtraction bits that are required in order to achieve a specified upper bound on the pointwise mutual information with a suitable failure probability, for which it is essential to use the PPA result instead. In Figure 1 we have plotted the failure probability as a function of the upper bound on the mutual information, for a family of choices of g_PPA values. Returning to the example discussed above for the APA bound, we see that if we need to achieve an upper bound on I of about 10^{-9}, we may do so with a failure probability of about (coincidentally) 10^{-9}, at the cost of shortening the final key by 60 bits: the secrecy is dictated by the pointwise bound parameter value of g' = 30, which is effected by choosing g_PPA = 60, corresponding to P_f ≈ 10^{-9}. Smaller upper bounds can obviously be obtained, with suitable values of the failure probability, at the cost of further shortening of the key.
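The APA/PPA parameter relations of Section III, applied to the numbers of the example above, as an added worked example (this code is not from the paper; the function names and the search for the smallest g' and g'' meeting a pair of targets are my own):

```python
import math
from typing import List, Tuple

LN2 = math.log(2.0)


def apa_bound(g: int) -> float:
    """APA bound (eq. 5): <I> <= 2^-g / ln 2, where g is also the number of extra subtraction bits."""
    return 2.0 ** (-g) / LN2


def ppa_bound(g_prime: int) -> float:
    """PPA bound (eq. 8): I <= 2^-g' / ln 2; g', the pointwise bound parameter, alone sets the secrecy."""
    return 2.0 ** (-g_prime) / LN2


def failure_probability(g_dprime: int) -> float:
    """P_f = 2^-g'' (eq. 9): probability that the chosen hash is not a 2^-g'/ln 2 strong uniformizer.
    g'' = 0 gives P_f = 1, the cryptographically useless case of Section IV."""
    return 2.0 ** (-g_dprime)


def ppa_parameters(max_bound: float, max_failure: float) -> Tuple[int, int, int]:
    """Smallest g' and g'' meeting a pointwise-bound target and a failure-probability target.
    Returns (g_PPA, g', g'') with g_PPA = g' + g'' (eq. 7): the key must be shortened by g_PPA
    extra bits, not by g' alone as a naive reading of the APA bound would suggest."""
    g_prime = 0
    while ppa_bound(g_prime) > max_bound:
        g_prime += 1
    g_dprime = 0
    while failure_probability(g_dprime) > max_failure:
        g_dprime += 1
    return g_prime + g_dprime, g_prime, g_dprime


def ppa_tradeoff(g_prime: int, max_g_dprime: int) -> List[Tuple[int, int, float]]:
    """For a fixed secrecy target g', the (g_PPA, g'', P_f) triples obtainable by
    spending 0..max_g_dprime extra subtraction bits on the failure probability."""
    return [(g_prime + g2, g2, failure_probability(g2)) for g2 in range(max_g_dprime + 1)]


if __name__ == "__main__":
    # Section IV example: secrecy target I <= 2^-30 / ln 2, i.e. about 1.34e-9.
    print(f"APA bound with g = 30: <I> <= {apa_bound(30):.3e}")
    for g_ppa, g2, pf in ppa_tradeoff(30, 60)[::10]:
        print(f"g' = 30, g'' = {g2:2d} -> shorten by {g_ppa} bits, P_f = {pf:.2e}")
    # Targets chosen slightly above the example's values (constructed inputs): expect (60, 30, 30).
    print("targets (1.4e-9, 1e-9) ->", ppa_parameters(1.4e-9, 1e-9))
```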

[Figure 1: Failure Probability versus Secrecy Bound for various Privacy Amplification Compressions. Horizontal axis: Mutual Information Upper Bound; vertical axis: failure probability.]

In Figure 2 we plot the throughput of secret Vernam cipher material in bits per second, as a function of bit cell period, for the two bit subtraction amounts g_PPA = 30 and g_PPA = 60. The example chosen is a representative scenario for applied quantum cryptography. In calculating the rate we follow the method described in reference [ref]. We assume the use of an attenuated, pulsed laser, with Alice located on a low earth orbit satellite at an altitude of 300 kilometers and Bob located at mean sea level, with the various system parameters corresponding to those for Scenario (?) in Section 5.3.2 in [ref], except that here the source of the quantum bits operates at a pulse repetition frequency (PRF) of 1 MHz, and we specifically assume that the enemy does not have the capability to make use of prior shared entanglement in conducting eavesdropping attacks. We see that the additional cost incurred in subtracting the amount required to achieve the required mutual information bound and failure probability reduces the throughput rate by an amount that is likely to be acceptable for most purposes. For instance, for a source PRF of 1 MHz we find that the throughput rate with a value of g_PPA = 30 is 5614 bits per second. With a subtraction amount of g_PPA = 60 the throughput rate drops to 5563 bits per second [ref].



[Figure 2: Effective Throughput of Secret Vernam Cipher for Different g-values.]

V CONCLUSIONS 

The significance and proper implementation of privacy amplification in quantum cryptography are clarified by our analysis. By itself the bound on the average value of the mutual information presented in [ref] does not allow one to determine the values of parameters required to bound the actual, pointwise value of the mutual information. Those parameters must satisfy a constraint, which in turn implies a constraint on the final throughput of secret key material. We have rigorously derived the cryptographically meaningful upper bound on the pointwise mutual information associated with the use of some specific privacy amplification hash function, and shown that the corresponding requirements on the shortening of the key still allow viable throughput values.

† ggilbert@mitre.org
‡ mhamrick@mitre.org
∗ jt@mitre.org